Online businesses must give visitors clear and comprehensive information about their website's use of cookies and obtain visitors' consent when setting cookies. It is not enough just to make short cookie disclosures within your website privacy policy. Visitors must be made aware that cookies are being set and how they can control cookie use.

Yes. There is no need to obtain consent for cookies which are strictly necessary to operate the website. ICO guidance says cookies which are necessary to maintain website security, power online shopping baskets and balance website server load do not need consent. All other cookies do, however – even those used to provide analytics or remember visitor preferences.

No. How to get consent is up to you. In some cases, providing simple cookie notices prominently on the face of the website that link to easy-to-use cookie controls will be enough to infer visitors' consent if they do not change their cookie preferences. The most important thing is to make visitors aware that cookies are being served and how to control this.

First, perform a technical audit of your website to identify what cookies it serves. If you don't have the in-house capability, consider using an outsourced solutions provider;

Second, assess the intrusiveness of the cookies your website serves. This will inform how prominent your consent notices must be. This stage will also help identify which cookies are strictly necessary and so exempt from consent;

Third, decide on an appropriate consent strategy. For websites making non-intrusive uses of cookies (for example, serving cookies for analytics or visitor preference purposes), an implied consent strategy will likely suffice. For websites making more intrusive cookie uses (for example, tracking visitors across multiple domains), a more express consent strategy will be appropriate;

Lastly, implement your consent strategy. This will require technical and operational changes to your website to deliver prominent cookie notices and obtain visitors' consent. You may either choose to make these changes in-house or, again, use an outsourced solutions provider to help you.

Aside from the above there are a number of quick wins online businesses can achieve. For example, where your audit reveals that you are using cookies you no longer need, get rid of those cookies - you will then have no need to ask for consent for them.

Similarly, if you are serving persistent cookies with long expiry periods, reduce those expiry periods. This will help minimise the intrusiveness of those cookies and so better enable reliance on implied consent strategies.

Lastly, when working with third party technology partners, have them explain to you what cookies they serve and what they do. This information will enable you to make clearer, more meaningful cookie disclosures and improve the validity of your visitor consents.

Phil Lee is a partner in the Privacy and Information Law Group at Field Fisher Waterhouse

2 comments

There are many UK companies now that are developing cookie-less technologies to allow for sites to easily remove cookies from their sites. eVisit Analyst is a cookie-less analytics system which allows for sites to gather anonymous analytics data without writing cookies. - www.evisitanalyst.com

It will be interesting to see how other companies adapt their technology to respect the privacy of website visitors over the coming months.